
AWS Storage Service lacks support for temporary credentials and IRSA (IAM Roles for Service Accounts) #1316

@achdmbp

Description

Current Problem

The current AwsStorageService implementation in server/src/main/java/org/eclipse/openvsx/storage/AwsStorageService.java only supports static AWS credentials (access key ID and secret access key) configured via:

ovsx.storage.aws.access-key-id
ovsx.storage.aws.secret-access-key

Limitations of current implementation:

  1. No session token support - Cannot use temporary credentials from AWS STS
  2. No IRSA support - Cannot leverage Kubernetes service account IAM roles
  3. Static credentials only - Requires long-lived IAM user credentials
  4. No credential rotation - Manual process to update credentials when they expire

Impact on deployment scenarios:

  • Kubernetes deployments: Cannot use IRSA, forcing the use of static credentials stored as secrets
  • AWS ECS/Fargate: Cannot leverage task roles effectively
  • Security compliance: Violates best practices for credential management

Expected Behavior

The OpenVSX AWS Storage Service should support modern AWS authentication methods including:

  1. Temporary credentials with session tokens - For use with AWS STS assume role operations
  2. IRSA (IAM Roles for Service Accounts) - For Kubernetes deployments where pods can assume IAM roles without storing static credentials
  3. AWS Default Credential Provider Chain - To automatically discover credentials from various sources (environment variables, instance profiles, credential files, etc.)

This would enable:

  • Secure deployment in Kubernetes clusters using IRSA
  • Integration with AWS services that provide temporary credentials
  • Better security practices by avoiding long-lived static credentials
  • Support for credential rotation and automatic credential management

Steps to Reproduce

  1. Deploy OpenVSX in a Kubernetes cluster with IRSA configured
  2. Set up a service account with an IAM role that has S3 permissions
  3. Try to configure OpenVSX to use the IRSA credentials
  4. Observe that OpenVSX fails to authenticate with S3 because it only looks for static credentials

Current workaround:

  • Create an IAM user with static credentials
  • Store credentials in Kubernetes secrets
  • Configure OpenVSX with static credentials via environment variables

Test case for IRSA:

```bash
# Environment variables that should be automatically detected
export AWS_ROLE_ARN="arn:aws:iam::123456789012:role/openvsx-s3-role"
export AWS_WEB_IDENTITY_TOKEN_FILE="/var/run/secrets/eks.amazonaws.com/serviceaccount/token"
export AWS_REGION="us-east-1"

# OpenVSX should automatically use these for S3 access
# Currently fails because it only checks for static credentials
```

Proposed Solution

Enhance the AwsStorageService to support multiple credential types with the following precedence:

  1. Static credentials with session token (temporary credentials)
  2. Static credentials without session token (permanent credentials)
  3. IRSA credentials (when AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE are present)
  4. Default credential provider chain (fallback for other AWS credential sources)
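
As an added example of the precedence above (example code, not the OpenVSX implementation), assuming the storage service uses the AWS SDK for Java v2 and a hypothetical `ovsx.storage.aws.session-token` property alongside the existing `access-key-id` and `secret-access-key` settings:

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;

import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;

/**
 * Resolves an AwsCredentialsProvider following the four-step precedence proposed
 * in this issue. Example code, not part of OpenVSX; the session-token property
 * name is an assumption.
 */
public final class AwsCredentialsResolver {

    // Hypothetical property for the proposed session-token setting.
    static final String SESSION_TOKEN_KEY = "ovsx.storage.aws.session-token";

    private AwsCredentialsResolver() {}

    static boolean hasText(String s) {
        return s != null && !s.isBlank();
    }

    /**
     * @param accessKeyId  value of ovsx.storage.aws.access-key-id (may be null)
     * @param secretKey    value of ovsx.storage.aws.secret-access-key (may be null)
     * @param sessionToken value of the assumed session-token property (may be null)
     * @param env          environment variables (System.getenv() at runtime, a Map in tests)
     */
    public static AwsCredentialsProvider resolve(String accessKeyId, String secretKey,
                                                 String sessionToken, Map<String, String> env) {
        // 1. Static credentials with a session token: temporary STS credentials.
        if (hasText(accessKeyId) && hasText(secretKey) && hasText(sessionToken)) {
            return StaticCredentialsProvider.create(
                    AwsSessionCredentials.create(accessKeyId, secretKey, sessionToken));
        }
        // 2. Static credentials without a session token: long-lived IAM user keys.
        if (hasText(accessKeyId) && hasText(secretKey)) {
            return StaticCredentialsProvider.create(
                    AwsBasicCredentials.create(accessKeyId, secretKey));
        }
        // Half-configured static credentials are a misconfiguration; fail fast
        // rather than silently falling through to another credential source.
        if (hasText(accessKeyId) || hasText(secretKey)) {
            throw new IllegalStateException(
                    "ovsx.storage.aws.access-key-id and secret-access-key must be set together");
        }
        // 3. IRSA: on EKS the pod identity webhook injects AWS_ROLE_ARN and
        //    AWS_WEB_IDENTITY_TOKEN_FILE and mounts the projected service account token.
        String roleArn = env.get("AWS_ROLE_ARN");
        String tokenFile = env.get("AWS_WEB_IDENTITY_TOKEN_FILE");
        if (hasText(roleArn) && hasText(tokenFile)) {
            Path token = Paths.get(tokenFile);
            if (!Files.isReadable(token)) {
                throw new IllegalStateException("IRSA token file is not readable: " + tokenFile);
            }
            return WebIdentityTokenFileCredentialsProvider.builder()
                    .roleArn(roleArn)
                    .webIdentityTokenFile(token)
                    .build();
        }
        // 4. Fallback: the SDK default chain (env vars, profile, container and instance roles).
        return DefaultCredentialsProvider.create();
    }

    /** Builds the S3 client the storage service would use with the resolved provider. */
    public static S3Client s3Client(String region, AwsCredentialsProvider provider) {
        return S3Client.builder()
                .region(Region.of(region))
                .credentialsProvider(provider)
                .build();
    }

    public static void main(String[] args) {
        // IRSA case from the issue: no static keys configured, provider chosen from the pod env.
        AwsCredentialsProvider provider = resolve(null, null, null, System.getenv());
        System.out.println("Selected provider: " + provider.getClass().getSimpleName());
        String region = System.getenv().getOrDefault("AWS_REGION", "us-east-1");
        try (S3Client s3 = s3Client(region, provider)) {
            s3.listBuckets().buckets().forEach(b -> System.out.println(b.name()));
        }
    }
}
```

Two practical notes on this ordering: the SDK's DefaultCredentialsProvider already contains WebIdentityTokenFileCredentialsProvider, so step 3 would also be reached via step 4; keeping it explicit is still useful because it lets the service report a clear error when AWS_ROLE_ARN is set but the token file is not mounted or readable, instead of the generic "unable to load credentials" failure from the chain. Temporary credentials from step 1 are not refreshed by a static provider, so a deployment that rotates them must restart or re-resolve the provider; steps 3 and 4 refresh automatically.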

Additional Context

This enhancement would align OpenVSX with AWS security best practices and enable seamless deployment in modern cloud-native environments, particularly Kubernetes clusters using IRSA for secure, credential-less authentication to AWS services.
